feat: remove deprecated sbom flag

Author: G-Rath

cmd/osv-scanner/scan/source/__snapshots__/command_test.snap

@@ -1133,7 +1133,6 @@ DESCRIPTION:
 
 OPTIONS:
    --lockfile string, -L string [ --lockfile string, -L string ]                    scan package lockfile on this path
-   --sbom string, -S string [ --sbom string, -S string ]                            [DEPRECATED] scan sbom file on this path, the sbom file name must follow the relevant spec
    --recursive, -r                                                                  check subdirectories
    --no-ignore                                                                      also scan files that would be ignored by .gitignore
    --include-git-root                                                               include scanning git root (non-submoduled) repositories
@@ -1298,22 +1297,10 @@ No package sources found, --help for usage information.
 ---
 
 [TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names - 1]
-Warning: --sbom has been deprecated in favor of -L
 
 ---
 
 [TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names - 2]
-Failed to parse SBOM "./testdata/locks-many/composer.lock": Invalid SBOM filename.
-If you believe this is a valid SBOM, make sure the filename follows format per your SBOMs specification.
-invalid SBOM filename: ./testdata/locks-many/composer.lock
-
----
-
-[TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names_using_-L_flag - 1]
-
----
-
-[TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names_using_-L_flag - 2]
 could not determine extractor, requested spdx
 
 ---
@@ -1356,8 +1343,7 @@ No issues found
 
 ---
 
-[TestCommand/one_specific_supported_sbom_with_duplicate_PURLs - 1]
-Warning: --sbom has been deprecated in favor of -L
+[TestCommand/one_specific_supported_sbom_with_duplicate_purls - 1]
 Scanned <rootdir>/testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages
 Filtered 1 local/unscannable package/s from the scan.
 Total 2 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
@@ -1374,73 +1360,18 @@ Total 2 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medi
 
 ---
 
-[TestCommand/one_specific_supported_sbom_with_duplicate_PURLs - 2]
+[TestCommand/one_specific_supported_sbom_with_duplicate_purls - 2]
 
 ---
 
-[TestCommand/one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag - 1]
-Scanned <rootdir>/testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages
-Filtered 1 local/unscannable package/s from the scan.
-Total 2 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
-0 vulnerabilities can be fixed.
-
-
-+---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+
-| OSV URL                               | CVSS | ECOSYSTEM | PACKAGE | VERSION   | FIXED VERSION | SOURCE                                         |
-+---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+
-| https://osv.dev/ALPINE-CVE-2025-26519 | 7.0  | Alpine    | musl    | 1.2.3-r4  | --            | testdata/sbom-insecure/with-duplicates.cdx.xml |
-| https://osv.dev/ALPINE-CVE-2018-25032 | 7.5  | Alpine    | zlib    | 1.2.10-r0 | --            | testdata/sbom-insecure/with-duplicates.cdx.xml |
-| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8  | Alpine    | zlib    | 1.2.10-r0 | --            | testdata/sbom-insecure/with-duplicates.cdx.xml |
-+---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+
-
----
-
-[TestCommand/one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag - 2]
-
----
-
-[TestCommand/one_specific_supported_sbom_with_invalid_PURLs - 1]
-Warning: --sbom has been deprecated in favor of -L
+[TestCommand/one_specific_supported_sbom_with_invalid_purls - 1]
 Scanned <rootdir>/testdata/sbom-insecure/bad-purls.cdx.xml file and found 15 packages
 Filtered 7 local/unscannable package/s from the scan.
 No issues found
 
 ---
 
-[TestCommand/one_specific_supported_sbom_with_invalid_PURLs - 2]
-
----
-
-[TestCommand/one_specific_supported_sbom_with_invalid_PURLs_using_-L_flag - 1]
-Scanned <rootdir>/testdata/sbom-insecure/bad-purls.cdx.xml file and found 15 packages
-Filtered 7 local/unscannable package/s from the scan.
-No issues found
-
----
-
-[TestCommand/one_specific_supported_sbom_with_invalid_PURLs_using_-L_flag - 2]
-
----
-
-[TestCommand/one_specific_supported_sbom_with_vulns - 1]
-Warning: --sbom has been deprecated in favor of -L
-Scanned <rootdir>/testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages
-Filtered 1 local/unscannable package/s from the scan.
-Total 2 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
-0 vulnerabilities can be fixed.
-
-
-+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+
-| OSV URL                               | CVSS | ECOSYSTEM | PACKAGE | VERSION   | FIXED VERSION | SOURCE                                |
-+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+
-| https://osv.dev/ALPINE-CVE-2025-26519 | 7.0  | Alpine    | musl    | 1.2.3-r4  | --            | testdata/sbom-insecure/alpine.cdx.xml |
-| https://osv.dev/ALPINE-CVE-2018-25032 | 7.5  | Alpine    | zlib    | 1.2.10-r0 | --            | testdata/sbom-insecure/alpine.cdx.xml |
-| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8  | Alpine    | zlib    | 1.2.10-r0 | --            | testdata/sbom-insecure/alpine.cdx.xml |
-+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+
-
----
-
-[TestCommand/one_specific_supported_sbom_with_vulns - 2]
+[TestCommand/one_specific_supported_sbom_with_invalid_purls - 2]
 
 ---
 

cmd/osv-scanner/scan/source/command.go

@@ -30,17 +30,6 @@ func Command(stdout, stderr io.Writer, client *http.Client) *cli.Command {
 				Usage:     "scan package lockfile on this path",
 				TakesFile: true,
 			},
-			&cli.StringSliceFlag{
-				Name:    "sbom",
-				Aliases: []string{"S"},
-				Usage:   "[DEPRECATED] scan sbom file on this path, the sbom file name must follow the relevant spec",
-				Action: func(_ context.Context, _ *cli.Command, _ []string) error {
-					cmdlogger.Warnf("Warning: --sbom has been deprecated in favor of -L")
-
-					return nil
-				},
-				TakesFile: true,
-			},
 			&cli.BoolFlag{
 				Name:    "recursive",
 				Aliases: []string{"r"},
@@ -124,8 +113,6 @@ func action(_ context.Context, cmd *cli.Command, stdout, stderr io.Writer, clien
 	scannerAction := helper.GetCommonScannerActions(cmd, scanLicensesAllowlist)
 
 	scannerAction.LockfilePaths = cmd.StringSlice("lockfile")
-	//nolint:staticcheck // ignore our own deprecated field
-	scannerAction.SBOMPaths = cmd.StringSlice("sbom")
 	scannerAction.Recursive = cmd.Bool("recursive")
 	scannerAction.NoIgnore = cmd.Bool("no-ignore")
 	scannerAction.DirectoryPaths = cmd.Args().Slice()

cmd/osv-scanner/scan/source/command_test.go

@@ -47,47 +47,26 @@ func TestCommand(t *testing.T) {
 			Args: []string{"", "source", "--all-vulns", "./testdata/sbom-insecure/only-unimportant.spdx.json"},
 			Exit: 1,
 		},
-		// one specific supported sbom with vulns
-		{
-			Name: "one specific supported sbom with vulns",
-			Args: []string{"", "source", "--sbom", "./testdata/sbom-insecure/alpine.cdx.xml"},
-			Exit: 1,
-		},
 		{
 			Name: "one specific supported sbom with vulns using -L flag",
 			Args: []string{"", "source", "-L", "./testdata/sbom-insecure/alpine.cdx.xml"},
 			Exit: 1,
 		},
 		// one specific supported sbom with vulns and invalid PURLs
 		{
-			Name: "one specific supported sbom with invalid PURLs",
-			Args: []string{"", "source", "--sbom", "./testdata/sbom-insecure/bad-purls.cdx.xml"},
-			Exit: 0,
-		},
-		{
-			Name: "one specific supported sbom with invalid PURLs using -L flag",
+			Name: "one_specific_supported_sbom_with_invalid_purls",
 			Args: []string{"", "source", "-L", "./testdata/sbom-insecure/bad-purls.cdx.xml"},
 			Exit: 0,
 		},
 		// one specific supported sbom with duplicate PURLs
 		{
-			Name: "one specific supported sbom with duplicate PURLs",
-			Args: []string{"", "source", "--sbom", "./testdata/sbom-insecure/with-duplicates.cdx.xml"},
-			Exit: 1,
-		},
-		{
-			Name: "one specific supported sbom with duplicate PURLs using -L flag",
+			Name: "one_specific_supported_sbom_with_duplicate_purls",
 			Args: []string{"", "source", "-L", "./testdata/sbom-insecure/with-duplicates.cdx.xml"},
 			Exit: 1,
 		},
 		// one file that does not match the supported sbom file names
 		{
-			Name: "one file that does not match the supported sbom file names",
-			Args: []string{"", "source", "--sbom", "./testdata/locks-many/composer.lock"},
-			Exit: 127,
-		},
-		{
-			Name: "one file that does not match the supported sbom file names using -L flag",
+			Name: "one_file_that_does_not_match_the_supported_sbom_file_names",
 			Args: []string{"", "source", "-L", "spdx:./testdata/locks-many/composer.lock"},
 			Exit: 127,
 		},

pkg/osvscanner/osvscanner.go

@@ -64,9 +64,6 @@ type ScannerActions struct {
 	// license scanning
 	ScanLicensesSummary   bool
 	ScanLicensesAllowlist []string
-
-	// Deprecated: in favor of LockfilePaths
-	SBOMPaths []string
 }
 
 type ExperimentalScannerActions struct {

pkg/osvscanner/scan.go

@@ -19,7 +19,6 @@ import (
 	transitivedependencyrequirements "github.com/google/osv-scalibr/enricher/transitivedependency/requirements"
 	"github.com/google/osv-scalibr/extractor"
 	"github.com/google/osv-scalibr/extractor/filesystem"
-	"github.com/google/osv-scalibr/extractor/filesystem/simplefileapi"
 	"github.com/google/osv-scalibr/fs"
 	"github.com/google/osv-scalibr/inventory"
 	"github.com/google/osv-scalibr/log"
@@ -169,7 +168,7 @@ func scan(accessors ExternalAccessors, actions ScannerActions) (*inventory.Inven
 	// map[path]parseAs
 	overrideMap := map[string]filesystem.Extractor{}
 	// List of specific paths the user passes in so that we can check that they all get processed.
-	specificPaths := make([]string, 0, len(actions.LockfilePaths)+len(actions.SBOMPaths))
+	specificPaths := make([]string, 0, len(actions.LockfilePaths))
 
 	statsCollector := fileOpenedPrinter{
 		filesExtracted: make(map[string]struct{}),
@@ -202,32 +201,6 @@ func scan(accessors ExternalAccessors, actions ScannerActions) (*inventory.Inven
 		}
 	}
 
-	// --- SBOMs (Deprecated) ---
-	// none of the SBOM extractors need configuring
-	sbomExtractors := scalibrplugin.Resolve([]string{"sbom"}, []string{}, &cpb.PluginConfig{})
-
-SBOMLoop:
-	for _, sbomPath := range actions.SBOMPaths {
-		absPath, err := pathToRootMap(rootMap, sbomPath, actions.Recursive)
-		if err != nil {
-			return nil, err
-		}
-		specificPaths = append(specificPaths, absPath)
-
-		for _, se := range sbomExtractors {
-			// All sbom extractors are filesystem extractors
-			sbomExtractor := se.(filesystem.Extractor)
-			if sbomExtractor.FileRequired(simplefileapi.New(absPath, nil)) {
-				overrideMap[absPath] = sbomExtractor
-				continue SBOMLoop
-			}
-		}
-		cmdlogger.Errorf("Failed to parse SBOM %q: Invalid SBOM filename.", sbomPath)
-		cmdlogger.Errorf("If you believe this is a valid SBOM, make sure the filename follows format per your SBOMs specification.")
-
-		return nil, fmt.Errorf("invalid SBOM filename: %s", sbomPath)
-	}
-
 	// --- Add git commits directly ---
 	gitDirectPlugin := gitcommitdirect.New(actions.GitCommits)